[SRU] wsl-pro-service version 0.1.18 for Plucky, Oracular and Noble

Bug #2106757 reported by Carlos Nihelton
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| wsl-pro-service (Ubuntu) | New | Undecided | Unassigned | |
| Noble | New | Undecided | Unassigned | |
| Oracular | New | Undecided | Unassigned | |
| Plucky | New | Undecided | Unassigned | |

Bug Description

[ Impact ]

This release of wsl-pro-service brings the latest enhancements. We would like to make sure all of our supported
customers have access to these improvements on all releases as we approach the GA of Ubuntu Pro
for WSL, a system of which this service is a key part.
As before, this service is only applicable for Ubuntu on WSL, its service unit is contained to not even start
if the condition `ConditionVirtualization=wsl` is not met. As we neither publish nor advertise interim releases
of Ubuntu on WSL, we're mostly releasing this version to Oracular and later to ensure the package stays available for
future releases as well as for covering the small percentage of users who `do-release-upgrade` their
instances.

The most important changes are:

 - Upgrade to the latest Go toolchain to address vulnerabilities GO-2025-3563, GO-2025-3447 and GO-2025-3373.

 - Reduce the duration under which wsl-pro-service remains running without being connected to the Windows side:
    * That allowed the service to spam the system's journal with too-frequent complaints about connection retries.
    * The existing behaviour was already highlighted by some users when reporting issues, not necessarily
    caused by this service, such as:
      . https://github.com/microsoft/WSL/issues/12433#issue-2768853006: Here users misunderstood it as an
    issue because of how often that message appears.
      . https://github.com/microsoft/WSL/issues/11522#issuecomment-2148499450: Here is an example of a systemd journal
    showing too many logs of wsl-pro-service.
    * With the current implementation we reduce the number of connection attempts and increase the duration
    systemd takes before restarting the service.

 - Increase systemd confinement:
    * Due to a bug in ubuntu-pro-client we had to reduce the restrictions in the systemd unit in the past to let
    it subprocess livepatch, even though that's not applicable under WSL.
    * That bug is fixed in v35 being SRU'ed in LP: #2083973

 - Prevents unnecessary re-registration with Landscape
    * by passing the CLI flag --register-if-needed when subprocessing landscape-config.

[ Test plan ]

== 1. Less logging:

* Make sure the Ubuntu Pro for WSL Windows agent is not running:
  - On Windows run `taskkill /f /im ubuntu-pro-agent.exe`
  - Depending on the OS settings elevated permissions might be required.
* Install wsl-pro-service version 0.1.18 on Ubuntu on WSL (Noble, Oracular and Plucky should behave exactly
the same)
* Follow its journal with `journalctl -f -u wsl-pro.service`
* Notice that it starts logging connection attempts too often, backing off exponentially up to a 1min interval.
  Approximately 10 minutes after attempting to connect without success, it goes silent.
* systemd should take approximately 20 min to attempt to restart the unit.

== 2. Pro attachment works under systemd restrictions and without livepatch being installed.

(Most of this test case would be testing ubuntu-pro-client v35 indeed, but we must verify that our integration
is not harmed with the changes in wsl-pro-service systemd confinement)

* Create a fresh instance of Ubuntu on WSL:
  - On Windows run `wsl.exe --install -d Ubuntu`
* Install ubuntu-pro-agent v35 (currently available via the `-proposed` repository)
* Make sure livepatch is not installed: `sudo snap remove canonical-livepatch`
* Make sure the Ubuntu on WSL instance is not pro attached: `pro status` (`pro detach` if needed).
* Install wsl-pro-service version 0.1.18 on Ubuntu on WSL (Noble, Oracular and Plucky should behave exactly
the same)
* Install Ubuntu Pro for WSL (download the latest production build from https://github.com/canonical/ubuntu-pro-for-wsl/actions/runs/14386282882/artifacts/2921576467)
* Follow this guide to attach your Pro token: https://documentation.ubuntu.com/wsl/en/stable/tutorials/getting-started-with-up4w/#set-up-ubuntu-pro-for-wsl
* Follow its journal with `journalctl -f -u wsl-pro.service`:
  - If pro-attaching fails because of systemd restrictions we should see some "permission denied" or "bad system
  call" errors in the journal.
  - If the livepatch fix was not correct, we should see mentions of `canonical-livepatch` in the journal.
  - Both conditions should be considered a failure. Otherwise, proceed.
* Confirm pro attachment `pro status` inside the Ubuntu instance.
* Finally assert that canonical-livepatch remains not installed on this machine.

== 3. (Optional) wsl-pro-service outside of WSL

(Ensures the unit does nothing outside of WSL)

* Install wsl-pro-service on an instance of Ubuntu 24.04 (or later) on any platform other than WSL (Desktop,
Server bare-metal or VM, OCI containers).
* Verify that the unit is disabled due to an unmet condition: `systemctl status wsl-pro.service`

[ Where problems could occur ]

Up until now, wsl-pro-service remains running all the time the unit is alive, thus anytime a user installs the
Ubuntu Pro for WSL application on Windows they could expect the communication with the Windows agents to start
briefly.

With the behaviour changes, that won't always be the case, as the service could just have quit seconds before
and systemd will take about 20min to restart it. Users can always `sudo systemctl restart wsl-pro.service`.

Since the entire system is not yet generally available the number of users affected by this behaviour change
is very minimal, comprising a handful of beta testers and internal collaborators (such as the
Landscape team).

If the changes in wsl-pro-service landed before ubuntu-pro-client v35, we'd have the issues with livepatch already
described. I judge that as almost impossible since the SRU bug LP: #2083973 is older and is very likely to
handle any regressions in time.

[ Other Info ]

I purposefully skipped testing the changes related to Landscape because it's too complex to set up a server
just for this purpose.

We upgraded many vendored Go dependencies, thus they comprise a huge part of the diffs.

[ Changelog ]

wsl-pro-service (0.1.18~22.04.1) jammy; urgency=medium

  * Pin Go toolchain to 1.23.8 to fix the following security vulnerabilities:
    - GO-2025-3563, GO-2025-3447 and GO-2025-3373 (LP: #2106757)
  * Allows the service to quit for longer period of time if the Windows agent
    is not reachable.
      - resulting in less logging to system journal.
  * Removes workaround for livepatch no longer needed since pro-client v35
      - systemd service is more confined again.
  * Prevents unnecessary re-registration with Landscape
      - by passing the CLI flag --register-if-needed to landscape-config.
  * Upgrades various golang dependencies.

 -- Carlos Nihelton <email address hidden> Thu, 10 Apr 2025 13:50:32 -0300

wsl-pro-service (0.1.5) oracular; urgency=medium

  * Fix UserProfileDir when %USERPROFILE% is empty
  * Fix for empty field for landscape SSL public key
  * Prevent subprocesses to sent notification to systemd
  * Workaround livepatch disable failure
  * Remove now unused hostagent UID and move it to our GRPc part
    in landscape protocole
  * Force all subcommands to run with LC_ALL=C
  * Removes dependency on /etc/resolv.conf
  * Fix logging level in config
  * Upgrade to Go 1.23
  * Annotate assertion on int conversion check with bitSize 32
  * Add some more tests and enhanced/cleanup existing ones, including mocks
  * Fix some flaky tests
  * Update some vendored dependencies
  * Fix some vendoring scripts

 -- Didier Roche-Tolomelli <email address hidden> Tue, 10 Sep 2024 13:24:08 +0200

wsl-pro-service (0.1.4) noble; urgency=medium

  * Vendor manually on the host as the go mod vendoring when using
    dpkg-buildpackage works in a different environment.

 -- Didier Roche-Tolomelli <email address hidden> Fri, 19 Apr 2024 07:56:41 +0200
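
The pass/fail criteria of test case 2, written as a script. This is an added example, not part of the original report or of the wsl-pro-service project; the function name `check_wsl_pro_journal`, the exit-status convention and the sample journal lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not project code): apply test case 2's failure criteria to
# wsl-pro.service journal text read from stdin.
# Exit status: 0 = pass, 1 = confinement errors, 2 = livepatch mentioned, 3 = both.
check_wsl_pro_journal() {
    awk '
        { l = tolower($0) }
        # Errors the test plan attributes to systemd restrictions.
        l ~ /permission denied|bad system call/ { print "confinement: " $0; conf = 1 }
        # Any mention means the service still tried to involve livepatch.
        l ~ /canonical-livepatch/ { print "livepatch:   " $0; lp = 1 }
        END { exit conf + 2 * lp }
    '
}

# Constructed sample journal lines; the message texts are invented for
# illustration and are not real wsl-pro-service output.
sample_clean() {
    printf '%s\n' \
        'Apr 10 14:02:11 ubuntu wsl-pro-service[412]: connecting to Windows agent' \
        'Apr 10 14:02:12 ubuntu wsl-pro-service[412]: pro attach finished'
}

sample_failing() {
    printf '%s\n' \
        'Apr 10 14:02:11 ubuntu wsl-pro-service[412]: connecting to Windows agent' \
        'Apr 10 14:02:12 ubuntu wsl-pro-service[412]: exec pro: Permission denied' \
        'Apr 10 14:02:13 ubuntu wsl-pro-service[412]: could not run canonical-livepatch' \
        'Apr 10 14:02:14 ubuntu systemd[1]: wsl-pro.service: Bad system call'
}

# Demo on the constructed input. On a real instance, feed the journal instead:
#   journalctl -b --no-pager -u wsl-pro.service | check_wsl_pro_journal
rc=0
sample_failing | check_wsl_pro_journal || rc=$?
echo "exit status: $rc"
```

A non-zero status corresponds to the "should be considered a failure" outcome of the test plan; status 0 means neither condition appeared in the text that was scanned.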

description: updated
no longer affects: wsl-pro-service (Ubuntu Plucky)
summary: - [SRU] Fix too much logging and fix vulnerabilities GO-2025-3563,
- GO-2025-3447 and GO-2025-3373
+ [SRU] wsl-pro-service version 0.1.18 for Plucky, Oracular and Noble
description: updated
Carlos Nihelton (cnihelton) wrote :

Proof of builds with the already attached debdiffs can be found on the following PPA links.
Their version numbers are suffixed with "~ppaN" to ensure the version released in the archive will override the PPA version afterwards.

Plucky:
- AMD64: https://launchpad.net/~cnihelton/+archive/ubuntu/pplayground/+build/30628325
- ARM64: https://launchpad.net/~cnihelton/+archive/ubuntu/pplayground/+build/30628326

Oracular:
- AMD64: https://launchpad.net/~cnihelton/+archive/ubuntu/pplayground/+build/30628336
- ARM64: https://launchpad.net/~cnihelton/+archive/ubuntu/pplayground/+build/30628337

Noble (for this I just uploaded the source as it was instead of rebuilding the source package from the debdiff to ease sponsorship, thus no "~ppaN" suffix in the package version):
- AMD64: https://launchpad.net/~cnihelton/+archive/ubuntu/pplayground/+build/30630087
- ARM64: https://launchpad.net/~cnihelton/+archive/ubuntu/pplayground/+build/30630088
